=== Vulnerability Mitigations

Contact: Ed Maste <emaste@FreeBSD.org> +
Contact: Konstantin Belousov <kib@FreeBSD.org> +
Contact: Marcin Wojtas <mw@FreeBSD.org> +
Contact: Dawid Górecki <dgr@semihalf.com>

We added support for enforcing a https://cgit.freebsd.org/src/commit/?id=2e1c94aa1fd582fb8ae0522f0827be719ff5fb67[write XOR execute] mapping policy.
It is enabled by setting the `kern.elf64.allow_wx` and/or `kern.elf32.allow_wx` sysctls to 0 (for 64-bit and 32-bit binaries, respectively).
Binaries can indicate that they requre writeable and executable mappings by setting the `NT_FREEBSD_FCTL_WXNEEDED` ELF feature bit, set via elfctl.

In addition, elfctl received a few usability improvements to support use by ports, targeting different FreeBSD base system versions.
We added a https://cgit.freebsd.org/src/commit/?id=f6d95a01103a49a94c876d5a51bb4be25c06d964[`-i` flag] to ignore unknown flags (so that the same elfctl invocation could be used on older FreeBSD versions) as well as the ability to  https://cgit.freebsd.org/src/commit/?id=86f33b5fcf6087bf4439881011b920ff99e6e300[specify features by value].

Flags that request opt-out of a mitigation now have a `no` prefix to make the sense clearer.
For example, the flag to indicate that the binary is not compatible with ASLR is now named `noaslr`.
Unprefixed flag names are still supported, for backwards compatibility, but will emit a warning and will be removed in a later version.

The next step is to introduce ports infrastructure to support tagging binaries in ports that require special flags.
Details can be found in https://bugs.freebsd.org/252629[PR252629].

Another update is that the base system binaries are now built as position-independent executable (PIE) https://cgit.freebsd.org/src/commit/?id=9a227a2fd642ec057a0ec70d67d5699d65553294[by default], for 64-bit architectures.
PIE executables are used in conjunction with address randomization (ASLR) as a mitigation for certain types of security vulnerabilities.
The ASLR feature still remains opt-in, however the described change allows enabling it using only sysctl knobs, without a need to rebuild the image.
Enabling PIE results in no material performance impact for most workloads.

It is also worth mentioning that a certain number of ports inherit the base systems /usr/share/mk infrastructure, and some initially failed to build after toggling the PIE setting.
All issues detected by executing the exp-run were addressed.
The details can be found in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253275[PR253275].

The next step is to try enabling ASLR by default for 64-bit architectures.
The https://reviews.freebsd.org/D27666[patch] is under discussion.

Sponsor: The FreeBSD Foundation
Sponsor: Stormshield
